chore(ci): gate depot ci-backend shadow behind toggle variable

[rnegron]

Problem

The Depot CI-backend shadow (added in the depot ci-backend shadow timing-trial PR (#53803)) auto-runs on every pull_request, merge_group, and master push, consuming Depot CI on each. We want it dormant now, but with an easy on/off switch — re-enabling shouldn't require another PR.

Changes

Instead of stripping the triggers, the workflows keep their canonical triggers and gate execution on a CI_ENABLE_DEPOT_SHADOW variable. The two files run on different CI systems and therefore read the variable from different stores:

File	Runs on	Reads vars.* from	Set the toggle via
.depot/workflows/ci-backend.yml	Depot CI	Depot's own variable store	depot ci vars add CI_ENABLE_DEPOT_SHADOW=true --repo PostHog/posthog
.github/workflows/ci-backend-shadow-drift.yml	GitHub Actions	GitHub repo variables	GitHub → Settings → Secrets and variables → Actions → Variables

• .depot/workflows/ci-backend.yml: triggers restored to match canonical (push: master, pull_request, merge_group, workflow_dispatch). Gated on vars.CI_ENABLE_DEPOT_SHADOW == 'true' at two jobs — changes (the root of the needs graph, so gating it short-circuits every downstream job via the existing needs.changes.outputs.* cascade) and django_tests (runs with always(), so it would otherwise survive the skip cascade). All job logic is otherwise untouched.
• .github/workflows/ci-backend-shadow-drift.yml: pull_request: paths trigger restored and the check job gated on the same-named GitHub variable, so drift enforcement tracks the shadow's on/off state.

The variable is currently unset in both stores, so merging this leaves the shadow off — same end state as a hard disable. Re-enabling is a variable flip in both stores, no code change.

On the name

CI_ENABLE_DEPOT_SHADOW is valid in both stores: Depot reserves the DEPOT_ prefix (an earlier DEPOT_CI_SHADOW_ENABLED was rejected by depot ci vars), and GitHub only reserves the GITHUB_ prefix. CI is a default environment variable on runners, but that namespace is separate from the vars.* context, so there's no collision.

How did you test this code?

I'm an agent. No automated tests apply to a CI trigger/gating change. Verified:

• Both YAML files parse (yaml.safe_load) and the three if: gates resolve to the expected jobs (changes, django_tests, check).
• The depot shadow's triggers again match canonical and the net diff vs master is additive (comments + gates).
• Via the depot CLI that the variable store is Depot-side and repo-scoped: depot ci vars list --repo PostHog/posthog shows the existing OIDC_RSA_FAKE_PRIVATE_KEY, confirming .depot/ workflows read Depot variables (not GitHub).

🤖 Agent context

Authored by Claude Code (Opus 4.8) at Raúl's direction. The first revision disabled the shadow by reducing both workflows to workflow_dispatch; the ask was a variable-gated toggle so the shadow flips on/off without editing files.

Key decisions and corrections:

• Gated only the root changes job and the always() django_tests collator rather than annotating all ~10 jobs, since every other job already short-circuits through the needs.changes.outputs.* cascade.
• Initially assumed the depot shadow read vars from GitHub repository variables. That was wrong — depot ci vars is a separate Depot store (repo-scoped to PostHog/posthog), and the .github/ drift check reads GitHub variables. The toggle therefore lives in two stores under the same name.
• Variable named CI_ENABLE_DEPOT_SHADOW to clear Depot's reserved DEPOT_ prefix while staying valid on GitHub.

[greptile-apps]

_{Reviews (1): Last reviewed commit: "chore(ci): disable depot ci-backend shad..." | Re-trigger Greptile}

[deployment-status-posthog]

Deploy status

Environment	Status	Deployed At	Workflow
dev	✅ Deployed	2026-06-02 13:29 UTC	Run
prod-us	✅ Deployed	2026-06-02 13:45 UTC	Run
prod-eu	✅ Deployed	2026-06-02 13:46 UTC	Run